Azure/Azure-Network-Security

[Workbook] WAF Triage no longer works by rules

noiano opened this issue · 6 comments

Describe the bug

As a DevOps engineer I've always loved the Application Gateway WAF Triage Workbook. It used to work perfectly.
Recently I've noticed a strange behaviour when using the "by rules" tab.
The workbook is not able to retrieve the "Requests on selected host and url", and the third column always displays "The query returned no results."

If I use Kusto queries or the "by url" tab I can totally see the requests and, therefore, I'm able to better investigate false positive issues.

Reproduce
Steps to reproduce the behavior:

  1. Open the WAF triage workbook
  2. Click on "triage by rule" tab
  3. Click on the most common one (or any other rule listed)
  4. Click on the hostname
  5. Click on any of the host path displayed

Expected behavior

The list of requests that triggered the specific rule on that specific host and path.

Screenshots
By rule triage

By url triage

Desktop (please complete the following information if applicable):

  • OS: macOS Catalina 10.15.7
  • Browser: Chrome
  • Version: 103.0.5060.53 (Official Build) (x86_64)
xstof commented

Dear @noiano, I just tried to repro this and could not. Would you please mind double-checking your environment? Both on rulesets 3.1 and 3.2 I cannot reproduce this behaviour. There's a known issue with hostname override I believe (see README) - not sure what hostname configuration you're using?

Dear @xstof, thank you for taking the time to reply. I'm not a super expert in this area but, running the following query, I see no difference between host_s and originalHost_s.

AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where TimeGenerated > ago(7d)
| project host_s, originalHost_s
xstof commented

Hey @noiano, that is expected. host_s will only be different from originalHost_s if you're doing hostname override. If you believe there's a bug in the workbook, I'm afraid I'll need some more hints/info/instructions as I can't reproduce the error on my side.
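The hostname override pitfall xstof mentions, as an added Python example that is not part of the thread or the workbook: a simplified model of the rule -> host -> path drill-down over constructed log rows, showing why a join keyed on host_s returns nothing once the gateway rewrites the Host header. The column names mirror the AzureDiagnostics tables as the thread uses them, and the join logic and the direction of the override (originalHost_s = client's Host header, host_s = host sent to the backend) are assumptions, not the workbook's actual query.

```python
# Constructed ApplicationGatewayFirewallLog rows (column names assumed).
# hostname_s is the host the client asked for, unaffected by backend override.
FIREWALL_LOG = [
    {"ruleId_s": "942100", "hostname_s": "app.example.com",
     "requestUri_s": "/login", "transactionId_g": "t1"},
    {"ruleId_s": "942100", "hostname_s": "app.example.com",
     "requestUri_s": "/login", "transactionId_g": "t2"},
    {"ruleId_s": "920350", "hostname_s": "app.example.com",
     "requestUri_s": "/api/items", "transactionId_g": "t3"},
]

# Constructed ApplicationGatewayAccessLog rows from a gateway that overrides
# the hostname: originalHost_s is the client's Host header, host_s the host
# sent to the backend (assumed direction of the override).
ACCESS_LOG = [
    {"transactionId_g": "t1", "originalHost_s": "app.example.com",
     "host_s": "backend.internal", "requestUri_s": "/login"},
    {"transactionId_g": "t2", "originalHost_s": "app.example.com",
     "host_s": "backend.internal", "requestUri_s": "/login"},
    {"transactionId_g": "t3", "originalHost_s": "app.example.com",
     "host_s": "backend.internal", "requestUri_s": "/api/items"},
]


def hostname_override_in_use(access_rows):
    """The check behind the host_s vs originalHost_s query in the thread."""
    return any(r["host_s"] != r["originalHost_s"] for r in access_rows)


def requests_for_rule(rule_id, host, path, firewall_rows, access_rows,
                      host_column="host_s"):
    """Access-log rows for requests that triggered rule_id on host + path.

    host_column is the access-log column matched against the firewall-log
    hostname. Matching on host_s yields nothing under hostname override
    ("The query returned no results."); originalHost_s keeps it working.
    """
    hits = {r["transactionId_g"] for r in firewall_rows
            if r["ruleId_s"] == rule_id and r["hostname_s"] == host
            and r["requestUri_s"] == path}
    return [r for r in access_rows if r["transactionId_g"] in hits
            and r[host_column] == host and r["requestUri_s"] == path]


if __name__ == "__main__":
    print("hostname override in use:", hostname_override_in_use(ACCESS_LOG))
    for col in ("host_s", "originalHost_s"):
        n = len(requests_for_rule("942100", "app.example.com", "/login",
                                  FIREWALL_LOG, ACCESS_LOG, host_column=col))
        print(f"match on {col}: {n} request(s)")
```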

xstof commented

Closing this item to keep backlog clean - feel free to reopen when you'd have more information on how to repro.

xstof commented

@tobystic can you close this one pls?

Oh alright ... I'll try to gather more info ... I'll reopen this if necessary. Thanks for your time